210-255 · Question #118
Employees are allowed access to internal websites. An employee connects to an internal website and IDS reports it as malicious behavior. What is this example of?
The correct answer is C. false positive. When an IDS flags a permitted and legitimate action as malicious, the alert is a false positive - an incorrect detection of a threat that does not exist.
Question
Employees are allowed access to internal websites. An employee connects to an internal website and IDS reports it as malicious behavior. What is this example of?
Options
- Atrue positive
- Bfalse negative
- Cfalse positive
- Dtrue negative
How the community answered
(31 responses)- A3% (1)
- C94% (29)
- D3% (1)
Why each option
When an IDS flags a permitted and legitimate action as malicious, the alert is a false positive - an incorrect detection of a threat that does not exist.
A true positive means the alert correctly identified real malicious behavior, but access to the site is authorized so no actual threat occurred.
A false negative means a real attack occurred but was NOT detected; the IDS did generate an alert, so this is not a missed detection.
A false positive occurs when a security control incorrectly identifies benign, authorized activity as malicious. Because the employee has explicit permission to access the internal website, the IDS alert is inaccurate, making it a false positive rather than evidence of a real threat.
A true negative means no threat existed and no alert was raised; an alert was raised here, so this cannot be a true negative.
Concept tested: IDS false positive vs true positive classification
Source: https://csrc.nist.gov/glossary/term/false_positive
Topics
Community Discussion
No community discussion yet for this question.